sssd-ad.5.xml revision ff4b603cc14ea6ea15caaf89a03e927920124af4
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<?xml version="1.0" encoding="UTF-8"?>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<reference>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<title>SSSD Manual pages</title>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<refentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refmeta>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refentrytitle>sssd-ad</refentrytitle>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <manvolnum>5</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </refmeta>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refnamediv id='name'>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refname>sssd-ad</refname>
7b58d637c20f87e1e49ffc1d49a4de8b25ef06bbJakub Hrozek <refpurpose>SSSD Active Directory provider</refpurpose>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </refnamediv>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refsect1 id='description'>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <title>DESCRIPTION</title>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This manual page describes the configuration of the AD provider
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher for
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refentrytitle>sssd</refentrytitle>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <manvolnum>8</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry>.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher For a detailed syntax reference, refer to the <quote>FILE FORMAT</quote> section of the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refentrytitle>sssd.conf</refentrytitle>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <manvolnum>5</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> manual page.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The AD provider is a back end used to connect to an Active
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher Directory server. This provider requires that the machine be
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher joined to the AD domain and a keytab is available.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The AD provider supports connecting to Active Directory 2008 R2
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher or later. Earlier versions may work, but are unsupported.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
728a1812b7c5f70febb522342c5b357da598acfeJakub Hrozek <para>
728a1812b7c5f70febb522342c5b357da598acfeJakub Hrozek The AD provider is able to provide identity information and
728a1812b7c5f70febb522342c5b357da598acfeJakub Hrozek authentication for entities from trusted domains as well. Currently
728a1812b7c5f70febb522342c5b357da598acfeJakub Hrozek only trusted domains in the same forest are recognized.
728a1812b7c5f70febb522342c5b357da598acfeJakub Hrozek </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The AD provider accepts the same options used by the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refentrytitle>sssd-ldap</refentrytitle>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <manvolnum>5</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> identity provider and the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refentrytitle>sssd-krb5</refentrytitle>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <manvolnum>5</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> authentication provider with some exceptions described
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher below.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher However, it is neither necessary nor recommended to set these
61804568ce5ede3b1a699cda17c033dd6c23f0e3Sumit Bose options. The AD provider can also be used as an access, chpass and
61804568ce5ede3b1a699cda17c033dd6c23f0e3Sumit Bose sudo provider. No configuration of the access provider is required
61804568ce5ede3b1a699cda17c033dd6c23f0e3Sumit Bose on the client side.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <para>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher By default, the AD provider will map UID and GID values from the
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher objectSID parameter in Active Directory. For details on this, see
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher the <quote>ID MAPPING</quote> section below. If you want to
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher disable ID mapping and instead rely on POSIX attributes defined in
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher Active Directory, you should set
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <programlisting>
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagherldap_id_mapping = False
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </programlisting>
4343b618051d295cbb1a805a85feb117a91c6945Jakub Hrozek In order to retrieve users and groups using POSIX attributes from trusted
4343b618051d295cbb1a805a85feb117a91c6945Jakub Hrozek domains, the AD administrator must make sure that the POSIX attributes
4343b618051d295cbb1a805a85feb117a91c6945Jakub Hrozek are replicated to the Global Catalog.
4343b618051d295cbb1a805a85feb117a91c6945Jakub Hrozek </para>
4343b618051d295cbb1a805a85feb117a91c6945Jakub Hrozek <para>
c7a4383b3b5549d0627c21bb02bd5f0bd46a3531Jakub Hrozek Users, groups and other entities served by SSSD are always treated as
c7a4383b3b5549d0627c21bb02bd5f0bd46a3531Jakub Hrozek case-insensitive in the AD provider for compatibility with Active
c7a4383b3b5549d0627c21bb02bd5f0bd46a3531Jakub Hrozek Directory's LDAP implementation.
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </refsect1>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
65a8e6e655c22027d3e02ea697972111f2a33e33Jakub Hrozek <refsect1 id='configuration-options'>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <title>CONFIGURATION OPTIONS</title>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>Refer to the section <quote>DOMAIN SECTIONS</quote> of the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <citerefentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refentrytitle>sssd.conf</refentrytitle>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <manvolnum>5</manvolnum>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </citerefentry> manual page for details on the configuration of an SSSD domain.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <variablelist>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <term>ad_domain (string)</term>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher Specifies the name of the Active Directory domain.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This is optional. If not provided, the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher configuration domain name is used.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher For proper operation, this option should be
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher specified as the lower-case version of the long
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher version of the Active Directory domain.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose <para>
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose The short domain name (also known as the NetBIOS
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose or the flat name) is autodetected by the SSSD.
4cdaf239d4504966bed8ecd5e3fa07def74c7302Sumit Bose </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
294e9a5521d327c5cdc49beeb9cb9e703b3134f1Jan Zeleny <term>ad_server, ad_backup_server (string)</term>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
02ec52b73c1714b877b0b7bc43fbc8d36ad8ca40Jakub Hrozek The comma-separated list of
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher hostnames of the AD servers to which SSSD should
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher connect in order of preference. For more
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher information on failover and server redundancy, see
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher the <quote>FAILOVER</quote> section.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This is optional if autodiscovery is enabled.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher For more information on service discovery, refer
c0d9babd59c81c12ca182ab3a72176d4fae494a4Yuri Chornoivan to the <quote>SERVICE DISCOVERY</quote> section.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <term>ad_hostname (string)</term>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher Optional. May be set on machines where the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher hostname(5) does not reflect the fully qualified
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher name used in the Active Directory domain to
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher identify this host.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher This field is used to determine the host principal
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher in use in the keytab. It must match the hostname
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher for which the keytab was issued.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </listitem>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <varlistentry>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <term>ad_enable_dns_sites (boolean)</term>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <listitem>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <para>
Enables DNS sites - location-based
service discovery.
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </para>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <para>
If true and service discovery (see the <quote>SERVICE
DISCOVERY</quote> section at the bottom of the man page)
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina is enabled, the SSSD will first attempt to discover
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina the Active Directory server to connect to using the
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina Active Directory Site Discovery and fall back to
de4ce3477497c20416c6397adb520bb60f3c6d28Jakub Hrozek the DNS SRV records if no AD site is found. The
de4ce3477497c20416c6397adb520bb60f3c6d28Jakub Hrozek DNS SRV configuration, including the discovery
de4ce3477497c20416c6397adb520bb60f3c6d28Jakub Hrozek domain, is used during site discovery as well.
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </para>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina <para>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina Default: true
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </para>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </listitem>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina </varlistentry>
a679f0167b646cffdae86546ed77e105576991b0Pavel Březina
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <varlistentry>
7a7fe9ace6990f20bddccfbb8fbbe91204df979eYassir Elley <term>ad_access_filter (string)</term>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <listitem>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <para>
This option specifies an LDAP access control
filter that the user must match in order
to be allowed access. Please note that the
19d56eacc786d83fcea1805743370c53098ef552Jakub Hrozek <quote>access_provider</quote> option must be
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek explicitly set to <quote>ad</quote> in order
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek for this option to have an effect.
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek </para>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek The option also supports specifying different
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek filters per domain or forest. This
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek extended filter would consist of:
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <quote>KEYWORD:NAME:FILTER</quote>.
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek The keyword can be either <quote>DOM</quote>,
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <quote>FOREST</quote> or missing.
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <para>
If the keyword is <quote>DOM</quote>
or is missing, then <quote>NAME</quote> specifies
the domain or subdomain the filter applies to.
If the keyword is <quote>FOREST</quote>,
then the filter applies to all domains from the
forest specified by <quote>NAME</quote>.
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek Multiple filters can be separated with the
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <quote>?</quote> character, similarly to how
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek search bases work.
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <para>
The most specific match is always used. For
example, if the option specifies both a filter
for the domain the user is a member of and a
global filter, the per-domain filter is
applied. If there are several matches of
the same specificity, the first one is used.
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek </para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek <para>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek Examples:
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek </para>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <programlisting>
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek# apply filter on domain called dom1 only:
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozekdom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek# apply filter on domain called dom2 only:
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub HrozekDOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub Hrozek# apply filter on forest called EXAMPLE.COM only:
1ce58f139699dd26b8888f4131c996263b6a80a5Jakub HrozekFOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek </programlisting>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek <para>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek Default: Not set
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek </para>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek </listitem>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek </varlistentry>
8a05fd320a44636d120a18eb7e9956c7b35b3138Jakub Hrozek
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek <varlistentry>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek <term>ad_enable_gc (boolean)</term>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek <listitem>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek <para>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek By default, the SSSD connects to the Global
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek Catalog first to retrieve users from trusted
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek domains and uses the LDAP port to retrieve
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek group memberships or as a fallback. Disabling
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek this option makes the SSSD only connect to
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek the LDAP port of the current AD server.
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek </para>
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek <para>
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek Please note that disabling Global Catalog support
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek does not disable retrieving users from trusted
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek domains. The SSSD would connect to the LDAP port
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek of trusted domains instead. However, Global
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek Catalog must be used in order to resolve
fdaaf2525e333af04ee9b48429b6766b5fd6cab6Jakub Hrozek cross-domain group memberships.
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek </para>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek <para>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek Default: true
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek </para>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek </listitem>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek </varlistentry>
ba4a81e933deebb416603369b447ead6ebaa040dJakub Hrozek
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <varlistentry>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <term>ad_gpo_access_control (string)</term>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <listitem>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley This option specifies the operation mode for
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley GPO-based access control functionality:
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley whether it operates in disabled mode, enforcing
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley mode, or permissive mode. Please note that the
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <quote>access_provider</quote> option must be
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley explicitly set to <quote>ad</quote> in order for
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley this option to have an effect.
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <para>
GPO-based access control functionality uses GPO
policy settings to determine whether or not a
particular user is allowed to log on to a particular
host.
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley NOTE: If the operation mode is set to enforcing, it
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley is possible that users that were previously allowed
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley logon access will now be denied logon access (as
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley dictated by the GPO policy settings). In order to
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley facilitate a smooth transition for administrators,
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley a permissive mode is available that will not enforce
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley the access control rules, but will evaluate them and
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley will output a syslog message if access would have
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley been denied. By examining the logs, administrators
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley can then make the necessary changes before setting
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley the mode to enforcing.
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley There are three supported values for this option:
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <itemizedlist>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <listitem>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley disabled: GPO-based access control rules
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley are neither evaluated nor enforced.
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </listitem>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <listitem>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley enforcing: GPO-based access control
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley rules are evaluated and enforced.
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </listitem>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <listitem>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley permissive: GPO-based access control
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley rules are evaluated, but not enforced.
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley Instead, a syslog message will be
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley emitted indicating that the user would
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley have been denied access if this option's
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley value were set to enforcing.
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </listitem>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </itemizedlist>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley <para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley Default: permissive
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </para>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </listitem>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley </varlistentry>
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley <varlistentry>
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley <term>ad_gpo_cache_timeout (integer)</term>
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley <listitem>
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley <para>
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley The amount of time between lookups of GPO policy
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley files against the AD server. This will reduce the
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley latency and load on the AD server if there are
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley many access-control requests made in a short
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley period.
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley </para>
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley <para>
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley Default: 5 (seconds)
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley </para>
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley </listitem>
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley </varlistentry>
ff4b603cc14ea6ea15caaf89a03e927920124af4Yassir Elley
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <term>dyndns_update (boolean)</term>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek Optional. This option tells SSSD to automatically
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek update the Active Directory DNS server with
31c1f3a2e699fad82258aab83d756e1e7ca923a2Jakub Hrozek the IP address of this client. The update is
31c1f3a2e699fad82258aab83d756e1e7ca923a2Jakub Hrozek secured using GSS-TSIG. As a consequence, the
31c1f3a2e699fad82258aab83d756e1e7ca923a2Jakub Hrozek Active Directory administrator only needs to
593c4a91596640eafe798e8aac700d0f3ce7ba37Ondrej Kos allow secure updates for the DNS zone. The IP
593c4a91596640eafe798e8aac700d0f3ce7ba37Ondrej Kos address of the AD LDAP connection is used for
593c4a91596640eafe798e8aac700d0f3ce7ba37Ondrej Kos the updates, if it is not otherwise specified
593c4a91596640eafe798e8aac700d0f3ce7ba37Ondrej Kos by using the <quote>dyndns_iface</quote> option.
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
NOTE: On older systems (such as RHEL 5), for this
behavior to work reliably, the default Kerberos
realm must be set properly in /etc/krb5.conf.
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
ad1be6fd04234f61f108773ff39aa7485abda47cJakub Hrozek Default: true
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <term>dyndns_ttl (integer)</term>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
The TTL to apply to the client DNS record when updating it.
If dyndns_update is false, this has no effect. This will
override any TTL set on the server side by an administrator.
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek Default: 3600 (seconds)
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <term>dyndns_iface (string)</term>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek Optional. Applicable only when dyndns_update
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek is true. Choose the interface whose IP address
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek should be used for dynamic DNS updates.
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
65e454c64dbeb4b74e0cc4ad952a54861dc0c3e4Jakub Hrozek Default: Use the IP address of the AD LDAP connection
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <term>dyndns_refresh_interval (integer)</term>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek How often the back end should perform a periodic DNS update in
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek addition to the automatic update performed when the back end
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek goes online.
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek This option is optional and applies only when dyndns_update
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek is true.
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek Default: 86400 (24 hours)
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <term>dyndns_update_ptr (bool)</term>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek Whether the PTR record should also be explicitly
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek updated when updating the client's DNS records.
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek Applicable only when dyndns_update is true.
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek Default: True
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <term>dyndns_force_tcp (bool)</term>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek Whether the nsupdate utility should default to using
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek TCP for communicating with the DNS server.
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek <para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek Default: False (let nsupdate choose the protocol)
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </para>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </listitem>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek </varlistentry>
74e95cfd9d3939dfe9417d79d2f6fc79b361405fJakub Hrozek
591b0325f5d6f70ae71e61a8c563b437acfb1884Jakub Hrozek <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/override_homedir.xml" />
ae0a5011e2644eaa482ea1b9e1451eff05c676b9Lukas Slebodnik <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/homedir_substring.xml" />
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose <varlistentry>
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose <term>krb5_use_enterprise_principal (boolean)</term>
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose <listitem>
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose <para>
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose Specifies whether the user principal should be treated
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose as an enterprise principal. See section 5 of RFC 6806
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose for more details about enterprise principals.
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose </para>
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose <para>
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose Default: true
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose </para>
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose <para>
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose Note that this default differs from the
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose traditional Kerberos provider back end.
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose </para>
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose </listitem>
edaa983d094c239c3e1ba667bcd20ed3934be3b8Sumit Bose </varlistentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </variablelist>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </refsect1>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/ldap_id_mapping.xml" />
5f879ab8b6c1cefbc63e1c2303f79b09b6246ca3Stephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <refsect1 id='example'>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <title>EXAMPLE</title>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher The following example assumes that SSSD is correctly
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher configured and example.com is one of the domains in the
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <replaceable>[sssd]</replaceable> section. This example shows only
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher the AD provider-specific options.
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher<programlisting>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher[domain/EXAMPLE]
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagherid_provider = ad
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagherauth_provider = ad
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagheraccess_provider = ad
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagherchpass_provider = ad
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagherad_server = dc1.example.com
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagherad_hostname = client.example.com
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagherad_domain = example.com
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek</programlisting>
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek </para>
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek </refsect1>
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek <refsect1 id='notes'>
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek <title>NOTES</title>
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek <para>
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek The AD access control provider checks whether the account is expired.
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek It has the same effect as the following configuration of the LDAP
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek provider:
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozek<programlisting>
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozekaccess_provider = ldap
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozekldap_access_order = expire
d231e95b0a5e1bd377f67e041e8b502a79fdc605Jakub Hrozekldap_account_expire_policy = ad
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher</programlisting>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </para>
8cc00c355862f5573f884efe828aa4c0f855376aJakub Hrozek <para>
8cc00c355862f5573f884efe828aa4c0f855376aJakub Hrozek However, unless the <quote>ad</quote> access control provider
8cc00c355862f5573f884efe828aa4c0f855376aJakub Hrozek is explicitly configured, the default access provider is
b3f56d9e4bd065590383eb1f812a3b77e3c56f24Jakub Hrozek <quote>permit</quote>, and the account expiration check described
b3f56d9e4bd065590383eb1f812a3b77e3c56f24Jakub Hrozek above is not performed. Please note that if you configure an
b3f56d9e4bd065590383eb1f812a3b77e3c56f24Jakub Hrozek access provider other than <quote>ad</quote>, you need to set
b3f56d9e4bd065590383eb1f812a3b77e3c56f24Jakub Hrozek all the connection parameters (such as LDAP URIs and encryption
b3f56d9e4bd065590383eb1f812a3b77e3c56f24Jakub Hrozek details) manually.
8cc00c355862f5573f884efe828aa4c0f855376aJakub Hrozek </para>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher </refsect1>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher</refentry>
03532fb1cbb7e8c1d5cf2e93aa3719f926631cabStephen Gallagher</reference>